[squid-users] [SOLVED] Transparent HTTPS Squid proxy with upstream parent

Michael Ludvig michael.ludvig at enterpriseit.co.nz
Tue Nov 24 22:34:31 UTC 2015

On 24/11/15 18:26, Amos Jeffries wrote:
> That is two separate and entirely different traffic types:
> A) [client] -> HTTP--(NAT)--> [my_proxy]
> B) [client] -> TLS--(NAT)--> [my_proxy]
> (A) requires "http_port ... intercept ssl-bump cert=/path/to/cert"
> (B) requires "https_port ... intercept ssl-bump cert=/path/to/cert"
> above is the minimum configuration. The generate-* etc settings you
> mention below are useful as well.
> In order to impersonate the server you also need to fetch the server 
> details (peek or stare at step2), then bump at step3.

Yay, that seems to work! Here is the working config for [my_proxy]:

http_port 3128
http_port 8080 intercept
https_port 8443 intercept ssl-bump generate-host-certificates=on \
     dynamic_cert_mem_cache_size=4MB cert=/etc/squid/my-proxy.pem
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

#ssl_bump peek step1    # <- enabling this breaks it
ssl_bump stare step2
ssl_bump bump step3

cache_peer parent.example.com parent 3129 0 no-query ssl
never_direct allow all

And two iptables rules:

# REDIRECT is only valid in the nat table, so -t nat is required
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443

Now the clients can either go explicitly to proxy on port 3128 or those 
who don't support setting proxy have [my_proxy] as their default gateway 
and the transparent proxy setup kicks in.

Thanks a lot Amos for your help!
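A small consistency check for the two traffic types Amos describes (intercept http_port for redirected port 80, intercept ssl-bump https_port for redirected port 443, peek/stare at step 2 before bump at step 3). This is an added example, not Squid's own tooling or anything from the thread; the config embedded in it is the working snippet above, re-typed as a constructed sample, and the parser assumes squid.conf's `#` comment and backslash continuation rules.

```python
"""Check a squid.conf snippet for the intercept HTTPS setup discussed in the
thread.  Added example; not Squid's own tooling."""
import re

# Constructed sample: the working config from the thread (without the crtd lines).
THREAD_CONF = """\
http_port 3128
http_port 8080 intercept
https_port 8443 intercept ssl-bump generate-host-certificates=on \\
     dynamic_cert_mem_cache_size=4MB cert=/etc/squid/my-proxy.pem
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
#ssl_bump peek step1    # <- enabling this breaks it
ssl_bump stare step2
ssl_bump bump step3
cache_peer parent.example.com parent 3129 0 no-query ssl
never_direct allow all
"""

def parse_squid_conf(text):
    """Return [(directive, [args])] with comments dropped and continuations joined."""
    joined = re.sub(r"\\\n\s*", " ", text)
    out = []
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].split()   # squid treats '#' to end of line as comment
        if line:
            out.append((line[0], line[1:]))
    return out

def check_intercept_tls(text):
    """Return a list of problems; an empty list means the snippet is consistent."""
    d = parse_squid_conf(text)
    problems = []
    # Traffic type (A): redirected port-80 needs an intercept http_port.
    if not any(n == "http_port" and "intercept" in a for n, a in d):
        problems.append("no 'http_port ... intercept' for redirected port-80 traffic")
    # Traffic type (B): redirected port-443 needs intercept + ssl-bump + a cert.
    if not any(n == "https_port" and "intercept" in a and "ssl-bump" in a
               and any(x.startswith("cert=") for x in a) for n, a in d):
        problems.append("no 'https_port ... intercept ssl-bump cert=...' for port-443 traffic")
    # Map at_step ACL names to the SslBump step they match, then read the ssl_bump actions.
    step_of = {a[0]: a[2] for n, a in d if n == "acl" and len(a) >= 3 and a[1] == "at_step"}
    action = {step_of.get(a[1]): a[0] for n, a in d if n == "ssl_bump" and len(a) >= 2}
    if action.get("SslBump2") not in ("peek", "stare"):
        problems.append("step 2 must peek or stare so the server certificate can be fetched")
    if action.get("SslBump3") != "bump":
        problems.append("step 3 must bump to impersonate the server")
    return problems
```

Running `check_intercept_tls(THREAD_CONF)` on the thread's config returns an empty list; swapping `stare` for `splice` at step 2 or removing the intercept `http_port` produces the corresponding finding.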


